Don’t forget along with all this WMF exploit madness, there is Sober fun in the midst. But experts in the AV community aren’t overly concerned.
If you’ll recall, in December researchers uncovered a bunch of sites that the worm would report back to for more downloads on January 6.
For example, starting January 6 and continuing for 14 days, the URLs are (from F-Secure):
- home.arcor.de/dixqshv/
- people.freenet.de/wjpropqmlpohj/
- people.freenet.de/zmnjgmomgbdz/
- people.freenet.de/mclvompycem/
- home.arcor.de/jmqnqgijmng/
- people.freenet.de/urfiqileuq/
- home.arcor.de/nhirmvtg/
- free.pages.at/emcndvwoemn/
- people.freenet.de/fseqepagqfphv/
- home.arcor.de/ocllceclbhs/
- scifi.pages.at/zzzvmkituktgr/
- people.freenet.de/qisezhin/
- home.arcor.de/srvziadzvzr/
- people.freenet.de/smtmeihf/
- home.pages.at/npgwtjgxwthx/
These URLs are all dead, but this article at CIAC continues with:
At the end of fourteen days they will change to a new set of random URLs. While most of the connection attempts will be to non-existant URLs, the virus writer knows in advance what the URLs will be on any particular day. Thus, when he wants to upload new code, he simply registers the appropriate URL and uploads the new code.
Microsoft just sent me this:
Microsoft has issued Security Advisory #912920 to provide guidance to customers to help protect themselves: (link here) .
Also, Microsoft has added detection for the latest Sober variants to the Malicious Software Removal Tool and Windows Live Safety Center. Customers who believe they are infected can go to http://safety.live.com and choose “Protection Scan” to remove all known variants of Win32/Sober. The Malicious Software Removal Tool will also be updated as part of the regular, security update release cycle on January 10, 2006 to scan and remove any known infections of Win32/Sober.Z from a users’ computer.
Win32/Sober attempts to entice users into opening an attached executable or clicking a malicious URL via an instant message. The worm then sends itself to all contacts in a computer’s address book. The worm does not appear to target a security vulnerability, but rather relies on the user opening the attachment or clicking a link in their instant messaging window to execute. On systems infected by Win32/Sober.Z@mm, the malware is programmed to download and run malicious files from certain Web domains beginning on January 6, 2006. Beginning approximately every two weeks thereafter, the worm is set to begin downloading and running malicious files from additional sites on the same Web domains.
Just keep your AV sigs updated, all should be fine.
Alex Eckelberry